nss-ecm: fix logic in rule addition

When using `nft insert rule` the rule is inserted on top of the `forward_wan` chain, which bypasses any filtering in place. Instead, append the rule to the end of the chain. Other changes include renaming chain `RATE-LIMIT` to `ECM-RATE-LIMIT` for better rule classification, and `shellformat` formatting. Signed-off-by: Sean Khan <datapronix@protonmail.com>
2025-12-16 16:21:53 +00:00 · 2024-07-08 11:12:44 -04:00 · 2024-07-08 11:12:44 -04:00 · baed4d5a9e
commit baed4d5a9e
parent 4c8e0ae9f2
1 changed files with 23 additions and 22 deletions
--- a/qca-nss-ecm/files/qca-nss-ecm.firewall
+++ b/qca-nss-ecm/files/qca-nss-ecm.firewall
@ -3,31 +3,32 @@
 FW_SCRIPT="/etc/init.d/firewall"

 if grep -q "fw3" "$FW_SCRIPT"; then
-    if ! iptables -nvL | grep -q "Chain RATE-LIMIT"; then
-        iptables -N RATE-LIMIT
+  if ! iptables -nvL | grep -q "Chain ECM-RATE-LIMIT"; then
+    iptables -N ECM-RATE-LIMIT
+  fi
+
+  iptables -F ECM-RATE-LIMIT
+  iptables -A ECM-RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
+  iptables -A ECM-RATE-LIMIT -j DROP
+  iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j ECM-RATE-LIMIT
+
+  [ -n "$(command -v ip6tables)" ] && {
+    if ! ip6tables -nvL | grep -q "Chain ECM-RATE-LIMIT"; then
+      ip6tables -N ECM-RATE-LIMIT
    fi

-    iptables -F RATE-LIMIT
-    iptables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
-    iptables -A RATE-LIMIT -j DROP
-    iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
-    [ -n "$(command -v ip6tables)" ] && {
-    if ! ip6tables -nvL | grep -q "Chain RATE-LIMIT"; then
-        ip6tables -N RATE-LIMIT
-    fi
-
-    ip6tables -F RATE-LIMIT
-    ip6tables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
-    ip6tables -A RATE-LIMIT -j DROP
-    ip6tables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
-    }
+    ip6tables -F ECM-RATE-LIMIT
+    ip6tables -A ECM-RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
+    ip6tables -A ECM-RATE-LIMIT -j DROP
+    ip6tables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j ECM-RATE-LIMIT
+  }

 elif grep -q "fw4" "$FW_SCRIPT"; then
-    if ! nft list chain inet fw4 RATE-LIMIT > /dev/null 2>&1; then
-        nft add chain inet fw4 RATE-LIMIT
-    fi
+  if ! nft list chain inet fw4 ecm_rate_limit > /dev/null 2>&1; then
+    nft add chain inet fw4 ecm_rate_limit
+  fi

-    nft add rule inet fw4 RATE-LIMIT limit rate 1000/second burst 1000 packets counter return
-    nft add rule inet fw4 RATE-LIMIT counter drop
-    nft insert rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT
+  nft add rule inet fw4 ecm_rate_limit limit rate 1000/second burst 1000 packets counter return
+  nft add rule inet fw4 ecm_rate_limit counter drop
+  nft add rule inet fw4 forward_wan ct state new counter jump ecm_rate_limit comment "!fw4: ECM Rate Limit 1000/pps"
 fi